Government from Cyber Attacks
A Model Every Organization Can Learn From
HACKERONE 1
Introduction
The U.S. Department of Defense (DoD), in a first for the U.S.
Federal Government, invited white hat hackers to find security
flaws in systems run by the Pentagon, Air Force, and Army. What
they learned helped the DoD bolster their cyber defenses and
prove the benefits of hacker-powered security to a wide range of
government agencies and organizations like yours!
Hack Us!
In April 2016, the DoD took a bold step: it launched the first bug bounty program in the history of the Federal Government. It was just a month-long program, but it was the start of a flurry of activity from other government agencies, which not only launched more hacker-powered security programs but also published guidance on how to leverage this powerful tool in the fight against cyber attacks.
Today, agencies as diverse as the Federal Trade Commission, the Food and Drug Administration,

"We need to understand where our weaknesses are in order to fix them, and there is no better way than to open it up to the global hacker community."
CHRIS LYNCH, Director of Defense Digital Service
Photo by Stephanie Dreyer
It Began with
Hack the Pentagon
Hack the Pentagon was a security initiative taken by the DoD's Defense Digital Service (DDS) team. Launched as a bug bounty pilot program, it gained support from then Secretary of Defense Ash Carter and, according to DDS, exceeded all expectations.
ASH CARTER, Former U.S. Secretary of Defense
Hack the Pentagon was designed to identify and resolve security vulnerabilities within the Defense Department's public-facing websites. The first report was submitted 13 minutes after launch, and within 6 hours the number of reports had grown to nearly 200.
Over the course of the 24-day program, more than 1,400 hackers registered to participate, with 250 actively working and a new report submitted every 30 minutes on average. As part of the HackerOne program, DDS leveraged HackerOne's triage services, which allowed the DDS security team to focus on resolving valid reports.
STRONGER RESULTS
Of the reports submitted during Hack the Pentagon, 138 were found to be legitimate, unique and eligible for a bounty, earning hackers a combined $75,000 in bounty rewards.
TIME TO FIRST REPORT: 13 MINUTES
HACKERS REGISTERED: 1,410
REPORTS SUBMITTED IN FIRST 6 HOURS: 200
BOUNTIES PAID: $75,000
Then Hack the Army ...and More
Within months of the successful Hack the Pentagon program, the DoD expanded its relationship with HackerOne to a 3-year agreement providing hacker-powered security to multiple departments. Its next program, Hack the Army, was driven by Secretary of the Army Eric Fanning.
As the most ambitious federal bug bounty program to date, Hack the Army targeted operationally significant websites, including those mission-critical to recruiting. The program aimed to engage the diverse talent of the hacker community and supplement the existing security efforts of the Army red teams and the DDS.
Running little more than 3 weeks, the program's results were nothing less than spectacular.
TIME TO FIRST VULNERABILITY REPORT: 5 MINUTES
ELIGIBLE HACKERS PARTICIPATING: 371
TOTAL REPORTS RECEIVED: 416
BOUNTIES PAID
HACKER CREATIVITY BEATS AUTOMATION
Beyond the overall success of Hack the Army, an extremely critical vulnerability was discovered by a hacker who creatively chained together a series of bugs. Exploiting the combination of vulnerabilities provided access to an internal DoD website that should have required special credentials. An externally reachable open proxy enabled access to the internal network, but only a highly skilled hacker could recognize the several independent flaws underlying the vulnerability and see how they combined. Automation alone is rarely capable of such leaps of logic and likely would not have highlighted this complex issue.

"I'm done with being afraid to know what our vulnerabilities are. That's not okay."
CHRIS LYNCH, Director of Defense Digital Service
VULNERABILITY DISCLOSURE: MODERN APPLICATION SECURITY 101
Shortly after Hack the Army was announced, and in a first for the U.S. government, the DoD introduced a Vulnerability Disclosure Policy (VDP) on HackerOne. The VDP gives hackers clear guidance on how to legally test for and disclose vulnerabilities in the DoD's public-facing websites, including those outside the scope of the time-bound challenges.
In the past year, the DoD has thanked over 360 hackers for disclosing potential vulnerabilities, and has maintained an average time to first response of just 2 days.

"The return on investment is incredible, both in terms of cost and in terms of making government assets more secure."
HUNTER PRICE, Director of Air Force Digital Service
Now Hack the Air Force
Next on the docket for the DoD was Hack the Air Force, its largest program at the time, which expanded participation to include hackers from the partner nations Australia, Canada, New Zealand, and the United Kingdom. As the biggest federal bug bounty program to date, Hack the Air Force targeted operationally significant websites and online services. The goal was to explore new approaches to security and to adopt the best practices used by the most successful and secure software companies in the world.
Again, support from the top lent both visibility and legitimacy to the hacker-powered security effort. The program was announced by Air Force Chief Information Security Officer Peter Kim at HackerOne headquarters, with Kim disclosing that this was the first time the Air Force had opened its networks to such broad scrutiny.
"We have malicious hackers trying to get into our systems every day," Kim added. "It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities."
With programs like Hack the Air Force, the DoD is redefining American defenses
in the digital era. But, as with every new initiative, success relies on results.
HIGH-FLYING RESULTS
Hack the Air Force instantly became the most successful government-run, hacker-powered security program in history, nearly doubling the results of the first Hack the Pentagon program from a year prior. Running for most of June 2017, the program resulted in 207 discovered vulnerabilities, the first of which was reported in
On the hacker side, 33 participants came from outside the U.S., and a 17-year-old from Chicago earned the largest total sum for 30 discoveries.
TIME TO FIRST VULNERABILITY REPORT: 1 MINUTE
ELIGIBLE HACKERS PARTICIPATING
BOUNTIES PAID: $130,000
Expanding Across the Federal Government
As hacker-powered security takes hold in the private sector, government entities are following the DoD's lead in expanding the use of these valuable programs. The entry point for most organizations is a vulnerability disclosure policy, a program designed to help improve security and reduce risk.
In keeping with the government angle, VDPs are often compared to the U.S. Department of Homeland Security's "If You See Something, Say Something" program, which implores citizens to alert authorities when they see something they know shouldn't be there. VDPs serve the same purpose by giving people a way to report the "something" that seems amiss.
Since software, hardware, and other cyber security issues generally require a high level of technical expertise to even notice, let alone understand, those who see the issues often have the skills to also exploit them, if they so choose. While some see VDPs as a

"Automotive industry members should consider creating their own vulnerability report/disclosure policies, or adopting policies used in other sectors or in technical standards. Such policies would provide any external cybersecurity researcher with guidance on how to disclose vulnerabilities to organizations that manufacture and design vehicle systems."
NATIONAL HIGHWAY TRAFFIC SAFETY ADMINISTRATION (NHTSA), Cybersecurity Best Practices for Modern Vehicles

"(Medical device) Manufacturers should adopt a coordinated vulnerability disclosure policy."
FOOD AND DRUG ADMINISTRATION (FDA), Management of Cybersecurity in Medical Devices
PUBLIC OR PRIVATE,
VDPS ARE TABLE STAKES
The expectation that organizations implement a VDP is now backed by an international standard, ISO/IEC 29147, which specifically covers vulnerability disclosure. The standard provides guidelines for vendors on how to receive information about potential vulnerabilities and how to disseminate resolution information, and it gives examples of content that should be included in a policy.
All of this and more has led private-sector companies like Adobe, General Motors, and New Relic to use VDPs to improve their security posture. Some of these programs collect hundreds of bug reports per quarter, with up to two-thirds of those reports confirmed as valid, previously unknown issues that are subsequently fixed.
But not everyone is working to close their security gaps. According to the Hacker-Powered Security Report 2017, 94 percent of the Forbes Global 2000 do not have known vulnerability disclosure policies, even with prodding from government agencies.
Adoption in the public sector is slower, but it is growing. The General Services Administration's Technology Transformation Service (TTS) recently launched the first bug bounty program administered by a civilian federal agency. Taking the lessons of the DoD's time-bound programs, TTS created an ongoing bounty program more typical of non-governmental organizations. In its first month, TTS paid out nearly $7,000 in bounties for 19 resolved reports. It thanked 15 hackers in that same period, with individual bounties ranging from $150 to $2,000.
Getting Your Organization
Started
Putting a VDP in place is the first step in leveraging hacker-powered security for any organization, whether it's a small private company, a large global enterprise, or a government entity. From there, move on to time-bound bounties, hacker-powered alternatives to penetration tests, or a continuous bounty program.
HOW IT WORKS
The typical HackerOne Challenge is a discreet, one-month engagement with HackerOne's best hackers, and comes with a detailed summary report with complete results.
Start Your Hacker-Powered Security Journey Today